What is CVE-2019-14379?

CVE-2019-14379 is a critical-severity vulnerability in Apple Xcode, classified under Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution). CVSS score: 9.8/10. Published 2019-07-29.

How severe is CVE-2019-14379?

Critical severity. CVSS v3 base score is 9.8 out of 10.

Is CVE-2019-14379 known to be exploited?

8 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Prototype Pollution in Apple Xcode

CVE-2019-14379

SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution.

Vulnerability class: Prototype Pollution

EPSS: 0.080 (94.0th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.8 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Affected products

Apple Xcode
Fasterxml Jackson-databind
Netapp Active_iq_unified_manager
Netapp Oncommand_workflow_automation
Netapp Service_level_manager
Netapp Snapcenter
Oracle Banking_platform — versions 2.4.0, 2.4.1, 2.5.0
Oracle Communications_diameter_signaling_router — versions 8.0.0, 8.1, 8.2
Oracle Communications_instant_messaging_server — versions 10.0.1.3.0
Oracle Financial_services_analytical_applications_infrastructure

Weakness classification (CWE)

CWE-1321 — Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution)

Public proof-of-concept exploits

References

cve@mitre.org (mailing-list, x_refsource_MLIST, Mailing List, Third Party Advisory)
cve@mitre.org (mailing-list, x_refsource_MLIST)
cve@mitre.org (mailing-list, x_refsource_MLIST)
cve@mitre.org (mailing-list, x_refsource_MLIST)
cve@mitre.org (mailing-list, x_refsource_MLIST)
cve@mitre.org (mailing-list, x_refsource_MLIST)
cve@mitre.org (mailing-list, x_refsource_MLIST)
cve@mitre.org (mailing-list, x_refsource_MLIST)
cve@mitre.org (mailing-list, x_refsource_MLIST)
cve@mitre.org (mailing-list, x_refsource_MLIST)

Frequently asked questions

What is CVE-2019-14379?: CVE-2019-14379 is a critical-severity vulnerability in Apple Xcode, classified under Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution). CVSS score: 9.8/10. Published 2019-07-29.
How severe is CVE-2019-14379?: Critical severity. CVSS v3 base score is 9.8 out of 10.
Is CVE-2019-14379 known to be exploited?: 8 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.